Ransomware continued to target the healthcare sector, while phishing attacks and insider errors lead to some of the biggest breaches in 2018. It is expected that hackers will continue to pummel the sector with targeted attacks through 2019 and beyond.
To learn from the security incidents of the year, we count down 2018’s biggest data breaches in the healthcare sector, as reported by Jessica Davis at HealthITSecurity.
10. HealthEquity: 190,000 Individuals
The data of about 190,000 HealthEquity customers was breached for about a month, after a hack on two employee email accounts. This was HealthEquity’s second breach this year. In June, a hacker breached another employee email account, compromising the data of 16,000 customers.
9. MedEvolve: 205,000 Patients
The practice management software vendor left its FTP server open to the public without the need for a login in May, which exposed the data of 205,000 patients from two separate providers. First discovered by a security researcher, the FTP server was configured to allow anonymous logins, not requiring login credentials, and failed to display a banner that could direct users not to access patient files.
8. Med Associates: 270,000 Patients
The Albany-based healthcare billing claims vendor discovered that a hacker accessed an employee workstation on March 22, when the computer displayed unusual activity. An investigation determined it was hacked and that the cybercriminal may have accessed 270,000 patient records. Social Security numbers were included in the breached data.
7. Oklahoma State University Center for Health Sciences: 279,865 Medicaid Patients
The Oklahoma State University Center for Health Sciences began notifying 279,855 patients in January that their data may have been breached, after a hacker gained access to the provider’s network. The cybercriminal accessed patient records that contained Medicaid billing data.
6. Augusta University Health: 417,000 Patients
The Georgia-based provider began notifying patients in August, of two cyberattacks that happened nearly a year ago. The health system fell victim to two phishing. The hackers were able to solicit usernames and passwords to gain access into internal email accounts. Once it was discovered, officials disabled the infected accounts.
5. LifeBridge Health: 500,000 Patients
The Baltimore-based health system fell victim to a malware attack, which potentially breached the data of nearly half a million patients for more than a year. On March 18, officials discovered a malware infection on its server. However, the investigation determined the hackers first gained access in 2016. The breach data contained a trove of patient details, from demographic information to insurance data and medical histories. For some patients, Social Security numbers were included in the breach.
4. Health Management Concepts: 502,416 Members
A ransomware attack quickly turned into a health data breach, when hackers were inadvertently provided with a file containing personal data of members. Officials discovered the ransomware infection in July on the server used to share files with clients. HMC paid the ransom to the hackers to release the files, which decrypted the data. Officials said they accidentally sent the file containing Social Security numbers, health insurance information and patient names to the hackers – but did not say how or why.
3. CNO Financial Group: 566,217 Customers
CNO’s largest unit, Bankers’ Life, began notifying customers of a breach discovered on August 7. Hackers accessed several employee credentials between May 30 and September 13. These unauthorized users used this information to access company websites, compromising the data of policy holders and applicants. Breached data included names, insurance details, dates of birth, and the last four digits of Social Security numbers. For some, complete Social Security numbers, credit or debit information, medications, diagnoses and or treatment details were included in the breach.
2. UnityPoint Health: 1.4 Million Patients
A phishing attack on the Iowa-based health system’s business email system breached the data of 1.4 million patients. This was UnityPoint’s second breach this year. In April, a separate phishing attack on staff email accounts at its Madison campus, compromised 16,000 patient records. The email system was hit with a series of highly targeted phishing emails that looked as if they were sent from an executive from within the organization. An employee fell for the scam, which gave hackers access to internal email accounts from March 14 to April 3. Notifications began in July.
1. AccuDoc Solutions: 2.65 Million Atrium Health Patients
The largest health data breach of 2018 was caused by a hack on billing vendor AccuDoc Solutions, which compromised patient data for a week. The North Carolina-based vendor prepares patient bills and operates Atrium Health’s billing system. The records were retained from payments made at some Atrium Health locations. The investigation determined hackers could view the data, but not extract it.
Want to make sure you're not on this lists for 2019? Contact the HIPAA compliance professionals at HIPAAcraticRx. HIPAAcraticRx provides medical practices with the tools they need to keep patient information secure and stay in compliance with today’s strict privacy regulations.